As most of my friends know, I have a tendency to run late. Well I was running late the other day holding up my friend, Adam Pridgen. He was patiently waiting for me in the hotel lobby and started playing with the kiosk. I beleive the particular software is kiosksafe. I had ran into it before and knew that it did a fair job. The software not only remaps/intercepts kep strokes but it also appears to run some sort of rootkit. When a particular API is called — or possibly a window has a certain name, the software locks the site down. It’s most unfortunate.
I threw iKat at it for fun. I saw iKat at defcon and always wanted to give it a try. It did a fair job of crashing the hell out of the Kiosk but it gave me fairly limited results.
Everyone knows the typical file-menu type hacks trying to find something that opens upĀ the system in a somewhat clever manner. Those didn’t work, but Office had potential. So I decided to play. In the end, I got a fair amount of access with a Word doc. 
First, change the default configuration paths for Word. This just makes sure Word opens up with high level access. I generally set it to C:\
The below screenshots show most of the process
Double click the icon and hopefully it works for you. cmd.exe sometimes has issues but IE, Windows Media Player, etc work a little better
Sample word doc provided shortly.